SonicWall Warns of Escalating Cyberattacks Targeting Gen 7 Firewalls in Last 72 Hours

SonicWall has issued an urgent security advisory following a significant increase in cyber incidents targeting its Gen 7 SonicWall firewalls over the past 72 hours.

The company is actively investigating a wave of attacks that appear to be focused on devices where the Secure Sockets Layer Virtual Private Network (SSLVPN) feature is enabled.

In a statement released to partners and customers, SonicWall confirmed it is analyzing a surge of both internally and externally reported threat activity.

The alert has been amplified by prominent third-party cybersecurity research teams, including Arctic Wolf, Google’s Mandiant, and Huntress, who have also observed and highlighted the malicious campaigns.

At the core of the investigation is the critical question of whether the ongoing attacks are exploiting a previously disclosed vulnerability or if threat actors are leveraging a new, undiscovered flaw.

“We are actively investigating these incidents to determine whether they are connected to a previously disclosed vulnerability or if a new vulnerability may be responsible,” the company stated.

SonicWall has assured its user base that it is working closely with external threat research partners to dissect the attacks and identify the root cause. The company has committed to providing continuous updates as the investigation progresses and pledged to release updated firmware and clear instructions promptly if a new vulnerability is confirmed.

In the meantime, SonicWall has strongly advised all customers using Gen 7 firewalls to take immediate defensive measures to mitigate their exposure. The primary recommendation is to disable SSLVPN services wherever practical.

For organizations where disabling SSLVPN is not a viable option, SonicWall has outlined a series of crucial security steps that should be implemented immediately:

  • Restrict Access: Limit SSLVPN connectivity exclusively to known and trusted source IP addresses.
  • Enable Security Services: Activate features such as Botnet Protection and Geo-IP Filtering to help detect and block known malicious actors that target SSLVPN endpoints.
  • Enforce Multi-Factor Authentication (MFA): Enabling MFA for all remote access is a critical best practice that reduces the risk of credential abuse, but SonicWall attached a significant caveat: some reports suggest that MFA enforcement alone may not be sufficient to protect against the specific activity currently under investigation.
  • Audit User Accounts: Administrators are urged to remove any inactive or unused local user accounts on the firewall, paying special attention to those with permissions for SSLVPN access.
  • Practice Password Hygiene: All user accounts should be reviewed to ensure they adhere to strong password policies, with regular updates encouraged.
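A defender's audit of two of the steps above (trusted-source restriction and removal of inactive accounts with SSLVPN access), added here as an example; it is not SonicWall's code and does not read any SonicOS export format. The "SSLVPN Services" group name, the record layout, the 90-day idle threshold and the 203.0.113.0/24 allowlist are assumptions applied to constructed sample data.

```python
import ipaddress
from datetime import date

# Constructed sample data (hypothetical layout, not a SonicOS export):
# local firewall accounts with group memberships and last-login date.
LOCAL_USERS = [
    {"name": "alice", "groups": ["SSLVPN Services", "Trusted Users"], "last_login": "2025-08-01"},
    {"name": "contractor1", "groups": ["SSLVPN Services"], "last_login": "2024-11-20"},
    {"name": "svc-backup", "groups": ["Trusted Users"], "last_login": "2025-07-30"},
    {"name": "olduser", "groups": ["SSLVPN Services"], "last_login": None},
]

# Constructed SSLVPN connection records (source address, user).
VPN_CONNECTIONS = [
    {"src": "203.0.113.10", "user": "alice"},
    {"src": "198.51.100.77", "user": "contractor1"},
    {"src": "203.0.113.200", "user": "alice"},
]

# Assumed allowlist of trusted source ranges (placeholder documentation CIDR).
TRUSTED_SOURCES = [ipaddress.ip_network("203.0.113.0/24")]

SSLVPN_GROUP = "SSLVPN Services"  # assumed group name granting SSLVPN access


def stale_sslvpn_accounts(users, today_iso, max_idle_days=90):
    """Return names of SSLVPN-enabled accounts that never logged in or have
    been idle longer than max_idle_days; these are removal candidates."""
    today = date.fromisoformat(today_iso)
    stale = []
    for u in users:
        if SSLVPN_GROUP not in u["groups"]:
            continue
        if u["last_login"] is None:
            stale.append(u["name"])
            continue
        idle_days = (today - date.fromisoformat(u["last_login"])).days
        if idle_days > max_idle_days:
            stale.append(u["name"])
    return stale


def untrusted_connections(connections, trusted):
    """Return (user, src) pairs whose source lies outside every trusted range."""
    flagged = []
    for c in connections:
        addr = ipaddress.ip_address(c["src"])
        if not any(addr in net for net in trusted):
            flagged.append((c["user"], c["src"]))
    return flagged


if __name__ == "__main__":
    print("stale SSLVPN accounts:", stale_sslvpn_accounts(LOCAL_USERS, "2025-08-05"))
    print("untrusted SSLVPN sources:", untrusted_connections(VPN_CONNECTIONS, TRUSTED_SOURCES))
```

On the constructed data this reports contractor1 and olduser as stale and flags the single connection from 198.51.100.77; in practice the records would be taken from the firewall's user list and SSLVPN connection logs.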

SonicWall is urging all users to remain vigilant and apply these mitigations without delay.
